From afe2b1fadd29149ceed639357e44e06e97c3a5ca Mon Sep 17 00:00:00 2001
From: Jesse Hall <jessehall@google.com>
Date: Tue, 21 Oct 2014 11:09:17 -0700
Subject: [PATCH] surfaceflinger: don't close fence fds after passing to
 queueBuffer

ANativeWindow::queueBuffer takes ownership of the fence fd passed to
it, and will close it before returning. SurfaceFlinger's screenshot
code was also closing the syncFd it passed to queueBuffer. Most of the
time this meant the second close() silently failed, but in a rare race
condition the file descriptor could be reused between the two
close()s.

Bug: 17946343
Change-Id: Ib74fcb1dce52cc21328059c99b7c4c76f41aa3a5
---
 services/surfaceflinger/SurfaceFlinger.cpp | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/services/surfaceflinger/SurfaceFlinger.cpp b/services/surfaceflinger/SurfaceFlinger.cpp
index 419b24620..96a8adbaf 100644
--- a/services/surfaceflinger/SurfaceFlinger.cpp
+++ b/services/surfaceflinger/SurfaceFlinger.cpp
@@ -3247,10 +3247,8 @@ status_t SurfaceFlinger::captureScreenImplLocked(
                 } else {
                     result = BAD_VALUE;
                 }
+                // queueBuffer takes ownership of syncFd
                 window->queueBuffer(window, buffer, syncFd);
-                if (syncFd != -1) {
-                    close(syncFd);
-                }
             }
         } else {
             result = BAD_VALUE;